Connect with us

Hi, what are you looking for?



Microsoft Patches 19 Critical Browser Vulnerabilities

Microsoft’s Patch Tuesday updates for December 2017 address more than 30 vulnerabilities, including 19 critical flaws affecting the company’s Internet Explorer and Edge web browsers.

Microsoft’s Patch Tuesday updates for December 2017 address more than 30 vulnerabilities, including 19 critical flaws affecting the company’s Internet Explorer and Edge web browsers.

The critical vulnerabilities are memory corruption issues that can be exploited for remote code execution in the context of the targeted user. The security holes – in most cases related to the browser’s scripting engine – can be exploited by getting the target to visit a specially crafted website or a site that serves malicious ads (i.e. malvertising).

These flaws were reported to Microsoft by researchers at Google, Palo Alto Networks, McAfee and Qihoo 360. The Google Project Zero researcher known as Lokihardt has again been credited for finding many of the weaknesses.

Trend Micro’s Zero Day Initiative (ZDI) pointed out that one interesting vulnerability, albeit rated only “important,” is CVE-2017-11927, an information disclosure flaw in Windows that “takes us all the way back to the early days of Internet Explorer and CHM (compressed help) files.” The issue affects the Windows its:// protocol handler – ITS, or InfoTech Storage Format, is the storage format used in CHM files.

“In theory, you shouldn’t be able to access remote content using ITS outside of the Local Machine Zone thanks to a 2005 update,” ZDI explained in a blog post. “It appears that has been circumvented by this bug, as it allows attackers who trick users into browsing to a malicious website or to malicious SMB destinations to leak info. If an attacker can get the target to disclose the user’s NTLM hash, they could then attempt a brute-force attack to obtain the corresponding password.”

The list of vulnerabilities fixed this month also includes information disclosure flaws in Office, a spoofing issue in Exchange, a privilege escalation bug in SharePoint, and a remote code execution vulnerability in Excel.

According to Microsoft, none of the vulnerabilities patched this month have been exploited in attacks or disclosed publicly before fixes were released.

Advertisement. Scroll to continue reading.

Earlier this month, Microsoft informed users that it had released a patch for a critical remote code execution vulnerability affecting its Malware Protection Engine. The flaw, discovered by the UK’s National Cyber Security Centre (NCSC), can be exploited to take control of the targeted system.

After publishing an advisory with information on how users can protect themselves against recent attacks abusing the Dynamic Data Exchange (DDE) protocol, Microsoft announced on Tuesday that it has released a defense-in-depth update that disables DDE in supported versions of Word.

Adobe has only patched one moderate severity vulnerability in Flash Player this Patch Tuesday.

Related: Microsoft Patches Zero-Day, Many Other Flaws

Related: Microsoft Patches Office Zero-Day Used to Deliver Malware

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.